Skip to content Skip to footer

Priorities in security: where can you improve your performance?

Image: Adobe Stock / Eakrin

For IT professionals, security is a constant worry. Analyst firm Gartner announced that nearly half of security professionals will change roles before 2025, while a quarter said they would change their profession entirely in response to stress.

Similarly, the Chartered Institute of Information Security found that a third of their surveyed members were kept awake at night by job stress.

At the same time, the number of IT security professionals is still below the levels needed across the industry. According to ISC2, there are 3.4 million open roles for cybersecurity professionals worldwide. So how can we support and retain the team members we have at the moment, and ensure that we continue to grow the pipeline of talent that we need, rather than scaring them off?

One answer is to focus your work based on prioritisation, so teams are not overwhelmed. We have to take an approach that is based on fact, so data is king here. We need to understand the real risks that organisations face, and how to help everyone improve their remediation work based on their specific priorities.

Where to put your efforts

To achieve this, we have to look at the volume of issues that we face in context, and where those issues exist. This can help us to avoid any feelings of hopelessness or update fatigue that we might experience, and it can also help to improve overall processes around remediation too.

The Qualys Threat Research Unit looked at data from across our customers on the issues that they faced. Based on analysis of more than six billion data points, the team found that there were five areas where actions were most needed – patching, automation, external facing IT systems, web applications and configuration management. 

To start with patching, the problem might appear to be how many issues now exist. In 2022, there were 25,228 new security vulnerabilities discovered over the course of the year, according to the CVE list. This might make you nervous. However, the number of issues that were actually exploited by malware is much lower, with only 93 vulnerabilities affected. In practice, the vast majority of software vulnerabilities will not be significant risks, so you can prioritise those that are potential threats to deal with first.

However, it is not as simple as it sounds. While information like the Common Vulnerability Scoring System (CVSS) can be useful for judging potential risks around new issues, it is not accurate for every organisation and their specific circumstances. What might be a significant risk to other companies may not affect you due to your deployment characteristics or any mitigations that you have in place, while other issues may be critical for your organisation. Understanding your organisation’s priorities and risk profile will help you define which vulnerabilities are critical ones.

Alongside prioritising issues, you should also be using automation in your patching and remediation processes. Automated deployment can take care of the lower risk level patching that would otherwise take up time for your team. This can take care of problems in common applications or operating systems like Google Chrome or Microsoft Windows, while reducing the risk of any problems and the management overheads for the team. For example, based on our data, automated patching is 36% faster compared to manual updates, and patches are deployed 45% more often.

Look at all your risks in context

Security risks exist across your IT estate, from endpoints and servers through to cloud deployments. To improve your approach, look at where your systems are most exposed to risk regardless of where they are deployed. Alongside tracking endpoints, you should also look at any external-facing IT systems that you have in place.

Recently, file transfer tools have hit the headlines again due to attacks by the Clop ransomware group. These applications are a good example of those IT services that have to be publicly accessible in order to work effectively, so they are commonly targeted by Initial Access Brokers in order to gain access or leak data. Auditing the systems that you have in place will help you understand which applications fit the IAB target profile, and then you can harden your systems so any attack that does succeed will have limited, if any, impact.

Similarly, you should also monitor your web applications for attacks. Web applications can easily be overlooked alongside all the other services and infrastructure that you have in place, so it is important to scan and track any potential problems on a continuous basis. In 2022, our team looked at anonymised data from more than 370,000 applications and found more than 25 million vulnerabilities in total. These issues provided malicious actors with the capability to spread malware in about 24,000 web applications.

Keeping web applications secure involves looking beyond the software deployed, as the biggest category of mistakes we found was misconfigurations. Based on the Open Web Application Security Project Top Ten definition, this covers instances where the web applications themselves are not deployed effectively and can then be subverted by attackers. By understanding this, you can improve your overall risk and security posture and take out some of the most common problems that affect deployments.

Overall, IT security professionals have a huge expanse of different platforms, applications and services to track and look after. Protecting these systems against attack is challenging. Getting the right data across them all is the first step to improving security, but this is only the start. To improve your security posture and reduce risk, look at how you prioritise your efforts around your most critical risks and how you automate deployment to handle other issues. By working smarter across your team and providing them with more ways to rank potential risk, you can focus your efforts on where you can make the most difference. This can reduce stress levels and keep your team engaged.

Paul Baird
Paul Baird
Chief Technical Security Officer UK at Qualys

You may also like

Stay In The Know

Get the Data Centre Review Newsletter direct to your inbox.